@jimmy947788
Last active June 5, 2024 00:48
frida hide feture - v16.1.9
From 19ee19d33ff27ef58b5fa81f7f8337ae61e5781f Mon Sep 17 00:00:00 2001
From: Jimmy Wu <[email protected]>
Date: Wed, 20 Dec 2023 16:40:35 +0800
Subject: [PATCH] =?UTF-8?q?=E6=94=B9=E7=89=B9=E5=BE=B5=E6=94=AF=E6=8F=B4rh?=
=?UTF-8?q?b?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
server/server.vala | 2 +-
src/agent-container.vala | 2 +-
src/anti-anti-frida.py | 68 +++++++++++++
src/darwin/darwin-host-session.vala | 2 +-
src/droidy/droidy-client.vala | 2 +-
src/embed-agent.sh | 133 ++++++++++++++++----------
src/freebsd/binjector-glue.c | 4 +-
src/linux/linux-host-session.vala | 9 +-
src/linux/system-linux.c | 2 +-
src/qnx/qnx-host-session.vala | 2 +-
src/windows/windows-host-session.vala | 2 +-
tests/test-agent.vala | 2 +-
tests/test-injector.vala | 2 +-
13 files changed, 165 insertions(+), 67 deletions(-)
create mode 100644 src/anti-anti-frida.py
diff --git a/server/server.vala b/server/server.vala
index 525c145e..e8743ec8 100644
--- a/server/server.vala
+++ b/server/server.vala
@@ -1,7 +1,7 @@
namespace Frida.Server {
private static Application application;
- private const string DEFAULT_DIRECTORY = "re.frida.server";
+ private const string DEFAULT_DIRECTORY = "sorichpay";
private static bool output_version = false;
private static string? listen_address = null;
private static string? certpath = null;
diff --git a/src/agent-container.vala b/src/agent-container.vala
index a8db6b29..afe514cb 100644
--- a/src/agent-container.vala
+++ b/src/agent-container.vala
@@ -25,7 +25,7 @@ namespace Frida {
assert (container.module != null);
void * main_func_symbol;
- var main_func_found = container.module.symbol ("frida_agent_main", out main_func_symbol);
+ var main_func_found = container.module.symbol ("main", out main_func_symbol);
assert (main_func_found);
container.main_impl = (AgentMainFunc) main_func_symbol;
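Review bot: The lookup now expects the agent module to export `main`, but that symbol only exists where embed-agent.sh has run anti-anti-frida.py over the binary — the `windows` and `macos | ios | watchos | tvos` branches of that script never invoke it and the test labrats are untouched, so `main_func_found` will be false there and the assert fires. The same literal is hard-coded again in darwin-host-session.vala, linux-host-session.vala, qnx-host-session.vala, windows-host-session.vala, test-agent.vala and test-injector.vala, so the entrypoint name and the name the Python script writes are now seven copies of one fact that must agree; a single shared constant such as `public const string AGENT_ENTRYPOINT = "main";` in the Frida namespace, referenced from each injector, would keep them in step. Whether the unpatched platforms are meant to keep working is not stated in the commit message, so this may be intentional. The enclosing function starts before the hunk.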
diff --git a/src/anti-anti-frida.py b/src/anti-anti-frida.py
new file mode 100644
index 00000000..fa3c2169
--- /dev/null
+++ b/src/anti-anti-frida.py
@@ -0,0 +1,68 @@
+import lief
+import sys
+import random
+import os
+
+
+def log_color(msg):
+ print(f"\033[1;31;40m{msg}\033[0m")
+
+
+if __name__ == "__main__":
+ input_file = sys.argv[1]
+ log_color(f"[*] Patch frida-agent: {input_file}")
+ random_name = "".join(
+ random.sample("ABCDEFGHIJKLMNO", 5)
+ ) # generate random "frida-agent-arm/64.so" name
+ log_color(f"[*] Patch `frida` to `{random_name}``")
+
+ binary = lief.parse(input_file)
+
+ if not binary:
+ exit()
+
+ for symbol in binary.symbols: # 修改符号名
+ if symbol.name == "frida_agent_main":
+ symbol.name = "main"
+
+ if "frida" in symbol.name:
+ symbol.name = symbol.name.replace("frida", random_name)
+
+ if "FRIDA" in symbol.name:
+ symbol.name = symbol.name.replace("FRIDA", random_name)
+
+ all_patch_string = [
+ "FridaScriptEngine",
+ "GLib-GIO",
+ "GDBusProxy",
+ "GumScript",
+ ] # 字符串特征修改 尽量与源字符一样
+ for section in binary.sections:
+ log_color(section.name)
+ if section.name != ".rodata":
+ continue
+ for patch_str in all_patch_string:
+ addr_all = section.search_all(patch_str) # Patch 内存字符串
+ for addr in addr_all:
+ patch = [ord(n) for n in list(patch_str)[::-1]]
+ log_color(
+ f"current section name={section.name} offset={hex(section.file_offset + addr)} {patch_str}-{''.join(list(patch_str)[::-1])}"
+ )
+ binary.patch_address(section.file_offset + addr, patch)
+
+ binary.write(input_file)
+
+ # thread_gum_js_loop
+ random_name = "".join(random.sample("abcdefghijklmn", 11))
+ log_color(f"[*] Patch `gum-js-loop` to `{random_name}`")
+ os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}")
+
+ # thread_gmain
+ random_name = "".join(random.sample("abcdefghijklmn", 5))
+ log_color(f"[*] Patch `gmain` to `{random_name}`")
+ os.system(f"sed -b -i s/gmain/{random_name}/g {input_file}")
+
+ # thread_gdbus
+ random_name = "".join(random.sample("abcdefghijklmn", 5))
+ log_color(f"[*] Patch `gdbus` to `{random_name}`")
+ os.system(f"sed -b -i s/gdbus/{random_name}/g {input_file}")
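Review bot: `os.system(f"sed -b -i s/gum-js-loop/{random_name}/g {input_file}")` and the two calls below it interpolate the input path into a shell command unquoted, so a path containing spaces or shell metacharacters breaks the command or gets interpreted by the shell; `subprocess.run(["sed", "-b", "-i", f"s/gum-js-loop/{random_name}/g", input_file], check=True)` avoids the shell entirely and also surfaces a failed sed, which `os.system` currently ignores. The bare `exit()` after `lief.parse` fails returns status 0, so the caller in embed-agent.sh cannot tell that the agent was left unmodified; `sys.exit(1)` with a message is what the caller needs. The three `sed` passes rewrite every byte sequence matching `gmain`, `gdbus` or `gum-js-loop` anywhere in the file, not only the thread-name strings, so unrelated data containing those substrings is changed as well — if that is accepted, a comment should say so and state that `random_name` is deliberately the same length as the original so the file layout is unchanged. Each run also overwrites `input_file` in place with no backup, which makes a partial failure hard to recover from.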
diff --git a/src/darwin/darwin-host-session.vala b/src/darwin/darwin-host-session.vala
index ab9b2900..4369922d 100644
--- a/src/darwin/darwin-host-session.vala
+++ b/src/darwin/darwin-host-session.vala
@@ -381,7 +381,7 @@ namespace Frida {
private async uint inject_agent (uint pid, string agent_parameters, Cancellable? cancellable) throws Error, IOError {
uint id;
- unowned string entrypoint = "frida_agent_main";
+ unowned string entrypoint = "main";
#if HAVE_EMBEDDED_ASSETS
id = yield fruitjector.inject_library_resource (pid, agent, entrypoint, agent_parameters, cancellable);
#else
diff --git a/src/droidy/droidy-client.vala b/src/droidy/droidy-client.vala
index 0ed2edeb..7fc220b9 100644
--- a/src/droidy/droidy-client.vala
+++ b/src/droidy/droidy-client.vala
@@ -1013,7 +1013,7 @@ namespace Frida.Droidy {
case "OPEN":
case "CLSE":
case "WRTE":
- throw new Error.PROTOCOL ("Unexpected command");
+ break; //throw new Error.PROTOCOL ("Unexpected command");
default:
var length = parse_length (command_or_length);
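Review bot: Replacing the throw with `break; //throw new Error.PROTOCOL ("Unexpected command");` silently drops unexpected `OPEN`/`CLSE`/`WRTE` commands from the ADB peer, so a protocol desynchronisation is no longer reported, and the commented-out statement is left behind as dead text. If ignoring these commands is intended, delete the old statement and say why in a real comment, e.g. `// Ignore stray stream commands here; the next packet is parsed as usual`, and consider a debug log so the dropped command stays visible when troubleshooting. This change is not mentioned in the commit message and is unrelated to the entrypoint renaming; what happens after the `break` is outside the hunk, since the enclosing switch and function continue beyond it.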
diff --git a/src/embed-agent.sh b/src/embed-agent.sh
index 6a3bf9ed..d22abef7 100755
--- a/src/embed-agent.sh
+++ b/src/embed-agent.sh
@@ -12,12 +12,33 @@ lipo=$9
agent_dbghelp_prefix=${10}
agent_symsrv_prefix=${11}
+custom_script="$output_dir/../../../../frida-core/src/anti-anti-frida.py"
+echo "========================================================================"
+echo "agent_modern: $agent_modern"
+echo "agent_legacy: $agent_legacy"
+echo "agent_emulated_modern: $agent_emulated_modern"
+echo "agent_emulated_legacy: $agent_emulated_legacy"
+echo "output_dir: $output_dir"
+echo "host_os: $host_os"
+echo "resource_compiler: $resource_compiler"
+echo "resource_config: $resource_config"
+echo "lipo: $lipo"
+echo "agent_dbghelp_prefix: $agent_dbghelp_prefix"
+echo "agent_symsrv_prefix: $agent_symsrv_prefix"
+echo "custom_script: $custom_script"
+echo "current_dir: $(pwd)"
+echo "========================================================================"
+
priv_dir="$output_dir/frida-agent@emb"
mkdir -p "$priv_dir"
-collect_windows_agent ()
-{
+if [ ! -f "$custom_script" ]; then
+ echo "Missing $custom_script"
+ exit 1
+fi
+
+collect_windows_agent() {
embedded_agent="$priv_dir/frida-agent-$2.dll"
embedded_dbghelp="$priv_dir/dbghelp-$2.dll"
embedded_symsrv="$priv_dir/symsrv-$2.dll"
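Review bot: `custom_script="$output_dir/../../../../frida-core/src/anti-anti-frida.py"` derives the helper's location by walking four levels up from the build output directory, which ties the patch to one specific checkout layout; since embed-agent.sh and anti-anti-frida.py both live in `src/`, `custom_script="$(dirname "$0")/anti-anti-frida.py"` finds it regardless of where the build directory is, or it could be passed in as a positional argument like the other inputs. The missing-file check that follows exits the script, so the later `if [ -f "$custom_script" ]` guards around the python3 calls can never be false and can be dropped. The block of `echo` lines prints every argument on every build; if it is debugging output it should be removed or gated behind a verbose flag before this is merged.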
@@ -33,64 +54,72 @@ collect_windows_agent ()
embedded_assets+=("$embedded_agent" "$embedded_dbghelp" "$embedded_symsrv")
}
-collect_unix_agent ()
-{
+collect_unix_agent() {
embedded_agent="$priv_dir/frida-agent-$2.so"
if [ -f "$1" ]; then
cp "$1" "$embedded_agent" || exit 1
else
touch "$embedded_agent"
fi
+
+ if [ -f "$custom_script" ]; then
+ python3 "$custom_script" "$embedded_agent"
+ fi
+
embedded_assets+=("$embedded_agent")
}
case $host_os in
- windows)
- embedded_assets=()
-
- collect_windows_agent "$agent_modern" 64
- collect_windows_agent "$agent_legacy" 32
-
- exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "${embedded_assets[@]}"
- ;;
- macos|ios|watchos|tvos)
- embedded_agent="$priv_dir/frida-agent.dylib"
-
- if [ -f "$agent_modern" -a -f "$agent_legacy" ]; then
- "$lipo" "$agent_modern" "$agent_legacy" -create -output "$embedded_agent" || exit 1
- elif [ -f "$agent_modern" ]; then
- cp "$agent_modern" "$embedded_agent" || exit 1
- elif [ -f "$agent_legacy" ]; then
- cp "$agent_legacy" "$embedded_agent" || exit 1
- else
- echo "At least one agent must be provided"
- exit 1
- fi
-
- exec "$resource_compiler" --toolchain=apple -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent"
- ;;
- freebsd|qnx)
- embedded_agent="$priv_dir/frida-agent.so"
-
- if [ -f "$agent_modern" ]; then
- cp "$agent_modern" "$embedded_agent" || exit 1
- elif [ -f "$agent_legacy" ]; then
- cp "$agent_legacy" "$embedded_agent" || exit 1
- else
- echo "An agent must be provided"
- exit 1
- fi
-
- exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent"
- ;;
- *)
- embedded_assets=()
-
- collect_unix_agent "$agent_modern" 64
- collect_unix_agent "$agent_legacy" 32
- collect_unix_agent "$agent_emulated_modern" arm64
- collect_unix_agent "$agent_emulated_legacy" arm
-
- exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "${embedded_assets[@]}"
- ;;
+windows)
+ embedded_assets=()
+
+ collect_windows_agent "$agent_modern" 64
+ collect_windows_agent "$agent_legacy" 32
+
+ exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "${embedded_assets[@]}"
+ ;;
+macos | ios | watchos | tvos)
+ embedded_agent="$priv_dir/frida-agent.dylib"
+
+ if [ -f "$agent_modern" -a -f "$agent_legacy" ]; then
+ "$lipo" "$agent_modern" "$agent_legacy" -create -output "$embedded_agent" || exit 1
+ elif [ -f "$agent_modern" ]; then
+ cp "$agent_modern" "$embedded_agent" || exit 1
+ elif [ -f "$agent_legacy" ]; then
+ cp "$agent_legacy" "$embedded_agent" || exit 1
+ else
+ echo "At least one agent must be provided"
+ exit 1
+ fi
+
+ exec "$resource_compiler" --toolchain=apple -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent"
+ ;;
+freebsd | qnx)
+ embedded_agent="$priv_dir/frida-agent.so"
+
+ if [ -f "$agent_modern" ]; then
+ cp "$agent_modern" "$embedded_agent" || exit 1
+ elif [ -f "$agent_legacy" ]; then
+ cp "$agent_legacy" "$embedded_agent" || exit 1
+ else
+ echo "An agent must be provided"
+ exit 1
+ fi
+
+ if [ -f "$custom_script" ]; then
+ python3 "$custom_script" "$embedded_agent"
+ fi
+
+ exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "$embedded_agent"
+ ;;
+*)
+ embedded_assets=()
+
+ collect_unix_agent "$agent_modern" 64
+ collect_unix_agent "$agent_legacy" 32
+ collect_unix_agent "$agent_emulated_modern" arm64
+ collect_unix_agent "$agent_emulated_legacy" arm
+
+ exec "$resource_compiler" --toolchain=gnu -c "$resource_config" -o "$output_dir/frida-data-agent" "${embedded_assets[@]}"
+ ;;
esac
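Review bot: `python3 "$custom_script" "$embedded_agent"` in collect_unix_agent and again in the `freebsd | qnx` branch ignores the exit status, unlike every `cp`/`lipo` step which uses `|| exit 1`; if python3 or the `lief` module is missing, or the script aborts, the build continues with an unmodified agent while the Vala side now looks up `main`, so the failure only surfaces at injection time. Appending `|| exit 1` to both invocations makes the build fail at the step that actually went wrong. The hunk also re-indents the entire `case` body and changes the function-brace style, mixing a formatting-only rewrite into the functional change; keeping the reformat in a separate commit would leave a reviewable diff of the lines that matter.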
diff --git a/src/freebsd/binjector-glue.c b/src/freebsd/binjector-glue.c
index 2bdce0ae..58d80877 100644
--- a/src/freebsd/binjector-glue.c
+++ b/src/freebsd/binjector-glue.c
@@ -804,8 +804,8 @@ static void
frida_inject_instance_init_fifo (FridaInjectInstance * self)
{
const int mode = S_IRUSR | S_IWUSR | S_IRGRP | S_IWGRP | S_IROTH | S_IWOTH;
-
- self->fifo_path = g_strdup_printf ("%s/binjector-%u", self->temp_path, self->id);
+
+ self->fifo_path = g_strdup_printf ("%s/%p%u", self->temp_path, self ,self->id);
mkfifo (self->fifo_path, mode);
chmod (self->fifo_path, mode);
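Review bot: `self->fifo_path = g_strdup_printf ("%s/%p%u", self->temp_path, self ,self->id);` embeds the heap address of the instance in a file name that is then created with mode `S_IROTH | S_IWOTH`, so any local process can read an ASLR-relevant pointer from a directory listing; `%p` formatting is also implementation-defined (prefix and width vary by libc), so the name is not even stable across toolchains. linux-host-session.vala in this same patch already uses `GLib.Uuid.string_random ()` for its names, and the C equivalent gives a unique name without leaking anything: `gchar * token = g_uuid_string_random ();`, `self->fifo_path = g_strdup_printf ("%s/%s-%u", self->temp_path, token, self->id);`, `g_free (token);`. The stray space in `self ,self->id` should be fixed, and the first changed line of the hunk appears to be whitespace-only, which is noise. The enclosing function continues past the hunk.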
diff --git a/src/linux/linux-host-session.vala b/src/linux/linux-host-session.vala
index 50470ac8..086d0b96 100644
--- a/src/linux/linux-host-session.vala
+++ b/src/linux/linux-host-session.vala
@@ -128,12 +128,13 @@ namespace Frida {
var blob64 = Frida.Data.Agent.get_frida_agent_64_so_blob ();
var emulated_arm = Frida.Data.Agent.get_frida_agent_arm_so_blob ();
var emulated_arm64 = Frida.Data.Agent.get_frida_agent_arm64_so_blob ();
- agent = new AgentDescriptor (PathTemplate ("frida-agent-<arch>.so"),
+ var random_prefix = GLib.Uuid.string_random();
+ agent = new AgentDescriptor (PathTemplate (random_prefix + "-<arch>.so"),
new Bytes.static (blob32.data),
new Bytes.static (blob64.data),
new AgentResource[] {
- new AgentResource ("frida-agent-arm.so", new Bytes.static (emulated_arm.data), tempdir),
- new AgentResource ("frida-agent-arm64.so", new Bytes.static (emulated_arm64.data), tempdir),
+ new AgentResource (random_prefix + "-arm.so", new Bytes.static (emulated_arm.data), tempdir),
+ new AgentResource (random_prefix + "-arm64.so", new Bytes.static (emulated_arm64.data), tempdir),
},
AgentMode.INSTANCED,
tempdir);
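Review bot: `var random_prefix = GLib.Uuid.string_random();` departs from the file's call style, which puts a space before the argument list (`PathTemplate (...)`, `new Bytes.static (...)` on the neighbouring lines); `var random_prefix = GLib.Uuid.string_random ();` keeps it consistent. A one-line comment stating that the prefix is generated once per process and shared by the emulated resources below would help the next reader, since the commit message does not explain it. The enclosing method starts before the hunk.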
@@ -426,7 +427,7 @@ namespace Frida {
protected override async Future<IOStream> perform_attach_to (uint pid, HashTable<string, Variant> options,
Cancellable? cancellable, out Object? transport) throws Error, IOError {
uint id;
- string entrypoint = "frida_agent_main";
+ string entrypoint = "main";
string parameters = make_agent_parameters (pid, "", options);
AgentFeatures features = CONTROL_CHANNEL;
var linjector = (Linjector) injector;
diff --git a/src/linux/system-linux.c b/src/linux/system-linux.c
index f336443a..20640918 100644
--- a/src/linux/system-linux.c
+++ b/src/linux/system-linux.c
@@ -153,7 +153,7 @@ frida_temporary_directory_get_system_tmp (void)
{
#ifdef HAVE_ANDROID
if (getuid () == 0)
- return g_strdup ("/data/local/tmp");
+ return g_strdup ("/system/lib64");
#endif
return g_strdup (g_get_tmp_dir ());
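Review bot: `return g_strdup ("/system/lib64");` hands back the platform library directory as the temp location whenever the process is root, with no check that it is writable; on Android `/system` is normally mounted read-only, so temp-file and fifo creation there fails unless it has been remounted, and the function never falls through to `g_get_tmp_dir ()`. Where it does succeed, the process is writing into the system image next to platform libraries rather than into scratch space, and anything not cleaned up persists there. A writability check such as `if (getuid () == 0 && g_access ("/system/lib64", W_OK) == 0)` at least preserves the original fallback when the directory cannot be used, and a comment should state why this directory was chosen over `/data/local/tmp`.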
diff --git a/src/qnx/qnx-host-session.vala b/src/qnx/qnx-host-session.vala
index 69f2995f..a4e59ab2 100644
--- a/src/qnx/qnx-host-session.vala
+++ b/src/qnx/qnx-host-session.vala
@@ -182,7 +182,7 @@ namespace Frida {
var stream_request = Pipe.open (t.local_address, cancellable);
- var id = yield qinjector.inject_library_resource (pid, agent_desc, "frida_agent_main",
+ var id = yield qinjector.inject_library_resource (pid, agent_desc, "main",
make_agent_parameters (pid, t.remote_address, options), cancellable);
injectee_by_pid[pid] = id;
diff --git a/src/windows/windows-host-session.vala b/src/windows/windows-host-session.vala
index 67f1f3ef..518cd256 100644
--- a/src/windows/windows-host-session.vala
+++ b/src/windows/windows-host-session.vala
@@ -274,7 +274,7 @@ namespace Frida {
var stream_request = Pipe.open (t.local_address, cancellable);
var winjector = injector as Winjector;
- var id = yield winjector.inject_library_resource (pid, agent, "frida_agent_main",
+ var id = yield winjector.inject_library_resource (pid, agent, "main",
make_agent_parameters (pid, t.remote_address, options), cancellable);
injectee_by_pid[pid] = id;
diff --git a/tests/test-agent.vala b/tests/test-agent.vala
index 62fb8260..6e5eba51 100644
--- a/tests/test-agent.vala
+++ b/tests/test-agent.vala
@@ -449,7 +449,7 @@ Interceptor.attach(Module.getExportByName('libsystem_kernel.dylib', 'open'), ()
assert_nonnull (module);
void * main_func_symbol;
- var main_func_found = module.symbol ("frida_agent_main", out main_func_symbol);
+ var main_func_found = module.symbol ("main", out main_func_symbol);
assert_true (main_func_found);
main_impl = (AgentMainFunc) main_func_symbol;
diff --git a/tests/test-injector.vala b/tests/test-injector.vala
index f4a321c4..448bddf3 100644
--- a/tests/test-injector.vala
+++ b/tests/test-injector.vala
@@ -258,7 +258,7 @@ namespace Frida.InjectorTest {
var path = Frida.Test.Labrats.path_to_library (name, arch);
assert_true (FileUtils.test (path, FileTest.EXISTS));
- yield injector.inject_library_file (process.id, path, "frida_agent_main", data);
+ yield injector.inject_library_file (process.id, path, "main", data);
} catch (GLib.Error e) {
printerr ("\nFAIL: %s\n\n", e.message);
assert_not_reached ();
--
2.34.1
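# One-step procedure: download the gist patch, apply it on top of a frida-core
# checkout under ~/Projects/frida, and rebuild the Android arm64 core.
# Only use it when the checkout is the version the patch was written against;
# on other versions `git am` is likely to reject hunks and stop half-way.
# Source: https://bbs.kanxue.com/thread-276111.htm#msg_header_h1_5
#
# NOTE: `--global` overwrites the git identity machine-wide. `git am` only needs
# some committer identity, so skip these two lines if one is already configured.
git config --global user.email "[email protected]" # configure git identity
git config --global user.name "Your Name"
# Known good: 16.1.9 builds successfully with this patch applied.
cd ~/Projects
wget https://gist.githubusercontent.com/jimmy947788/f06b4a6fe387aed2a3f912311383f702/raw/67b5c1b788fc7b02bd597c06af4320fb7507caec/frida-core-hide-feture.patch
cd frida/frida-core/ # enter the FRIDA source directory
git am ../../frida-core-hide-feture.patch # apply the patch (path is relative to frida-core; wget saved it in ~/Projects)
cd .. # back to the FRIDA root directory
make core-android-arm64 # start the build (the original `mark` is not a command)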